On Fri, 9 Apr 2004 10:33:03 -0500
"Matt Murphy" <mmurphy at tc-tech.com> wrote:

> 	Way to be responsive to the needs of your users. Are you an
> enabler in your company, or someone that people have to get through
> to get their work done? Think about that the next time you don't get
> promoted. You can be plenty safe without disallowing executable
> files, and TRAINING (yes that means actually talking to users) is a
> big part of that. 

Ok, I seem to have painted myself into a corner.  First off, the online upload/download area was demanded by my users because at the time the MTA couldn't handle the absolutely huge attachments these users were trying to send as attachments.  They work at printing companies where 50-100 MB files are the norm.  I wasn't the email admin for this system, nor did I want that job, so I built an online app to upload these huge attachments, with progress bars which made them happy.  I would call that an enabling application.  People started using this thing for transferring large files, executable files, whatever, instead of sending them as email attachments.  When we switched servers and MTAs we thought about rejecting Windows executable content.  We talked with our users, and since they rarely used these files and there was an alternative way to transfer these files, they did not feel we were taking anything away.  Most hopefully don't realize anything is different.

If I were a full-time sysadmin for a large corporation, would I do this?  Hell no.  I run a very small server in comparison to what you probably work on, nor is it my full-time job.  My users are good folks who are not web developers or programmers; their email consists of pictures, MP3s and plain text, NOT executable content.  Any executable content my users send or receive in an email has a 99.9% likelihood of being a virus.  Unfortunately, the server as it was before I inherited it was a security nightmare and often the target of numerous attacks and relay attempts; one of the biggest complaints from this user base was to fix this.  Since implementing these policies I have not received one complaint from my user base about taking away anything and have been told things work much better.

I know my user base, you know yours.  I would expect you to be responsive to the needs of YOUR users; meanwhile I'll be responsive to mine.  My solution, though certainly flawed, works for my system.  I'm sorry if my OP was read as: "Do this, it'll work for everyone."

> 	The day the latest big worm hit I was out for drinks with some
> of my sysadmin friends, and they were all griping about how they
> spent all day cleaning up viruses. That was the first I'd heard of
> it, and we never got hit. Why is that? I have good security, good
> A/V, good policies, and users that know what to look for, and know
> that if they're the one that lets a virus through, it's their ass. 

I too believe that my policies are good, for my situation.  I still use my AV, but only on what makes it past the MTA.  I treat email security very similarly to how I treat a firewall.  Drop everything but what your users need.

Josh




_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list